@lucas1

You've locked yourself up in a corner.
For example : I don't recall how things were done several version ago, and I'm pretty sure very few will be able to do so.

You can't upgrade the acme package, as you can only install/upgrade pfSense packages if you use the latest pfSense version : that 2.7.2. pfSense 2.5.0 was from 2019 / 2020 ?

The thing is : Cloudflare can update (change) the way the DNS api works.
Accordingly, the acme.sh pfSense will get updated also ....

So, get the current pfSense version first. Install the latest acme pfSense package. Then try again.

@lucas1 said in Failure updating ACME certificate - 2:

Please check log file for more details: /tmp/acme/mydomain/acme_issuecert.log

You've checked ?

@MordyT said in ACME client can't check for DNS entries due to Error 60:

url='https://cloudflare-dns.com'

exist ??

Set DNS-Sleep to at least :

c4df8f8d-832c-486f-838b-61e5891e091b-image.png

@dmorda I also had problems renewing with Godaddy API and the only solution I found was moving to Cloudflare where renewals are working perfectly.

I think I had the same issue with ACME - LE and DA dns check. See this topic
This one was also solved with the update/reverted code.
Thank you for the quick fix release @jimp

Noticed there was a new version today 0.8_1 with changes reverted from 0.8 regarding failing challenge checks that were working previously.

Installed this update, changed the dns wait to 60 seconds again and tested the certificate renewal.
Worked like a charm again on the first try.

Thank you very much for this valuable information. Following these suggestions worked out well for me.

Regards.

@ak4 said in Possible ACME bug in 23.09.1:

ended up being related to pfBlocker

pfBlocker, by itself, when you install it, does 'nothing'.
I'll advise you strongly to fact check this and not just believe me ^^

So, yes, it's actually easy : you install 'some DNSBL' or IP list and suddenly you can't, from your LANs, reach some destinations on the internet.
And also the other way around : suddenly, you block sources that needs to contact your pfSense, like the Letenscrypt verification service, as you've picked a list that contains these sources (IP, etc).
I presume you manged to do just that.

Remember : you use these DNSBL lists and IP lists 'as is'. But shouldn't you check them before using them ?
It has happened : a list conatins all the Amazon WS IPs. Right after you use this list, suddenly, pfBlockerng can't update any list anymore, as most lists are hosted on Amazon WS.
Or : also pure fun : some IP list managed to include all RFC1918 and suddenly pfBlocker start to block all your LAN devices and it's "Internet & pfSense is broken again" time, or its actually the "the admin didn't do it's job" time.

What I normally do if I use a new list : I use this package :
371e39b4-7595-4edb-831e-8ce6f15e4b34-image.png

and I make notes, like : installed on 2024-04-04 IP list Xyz, and then I see what happens. if somethings strange happens, I undo what I've done last, and often the issue is solved. Then I go through the 'why' phase.

But before testing : don't you want de latest acme version (with the latest correction etc) ?

I'm using : 23.09.1 (actually 24.03-BETA since a week as it is rock solid) and :

1c15cdd0-5d1c-4542-a495-088e0328c77a-image.png

which came out .... weeks ago.
Why wait ?

@DominikHoffmann said in Is the reason for renewal failure my use of dynamic DNS?:

the dynamic DNS name of my router locally

That is the DDNS name as it is known to the 'outside' world, also known as the Internet ?
Easy : don't.
Use :

6efb80c0-ab1f-420e-b2a1-08d389b9e282-image.png

It's this domain name that you have to 'own' (actually : rent) and it's this domain name that you have to use with ACME to get a certificate from Letsencrypt that includes the "Subject Alt Names" like "pfSense.your-local-domain.name"

You can also ask for a wildcard certificate like "Subject Alt Names" :

and now you can export the certificate and use it also for your NAS :
NAS.your-local-domain.name
and your printer :
printer.your-local-domain.name

That is : both the NAS and 'printer' need to have some sort of GUI that permits you to import the certificate you've exported from pfSense.

@DominikHoffmann said in Is the reason for renewal failure my use of dynamic DNS?:

Starting with my own I am now notified that my certificate cannot be renewed

And the reason was ?
The acme package logs a lot, full with details mentioning everything that goes well, and also what doesn't go well. The latter will interest you.
It's here : /tmp/acme/[domain account]/ and look for the file that has the log extension.

@phantom99 just glad you got it sorted.. I could talk for hours and hours about dns ;)

@Flemmingss
https://forum.netgate.com/topic/161052/let-s-encrypt-certificate-authority-expiring-soon/7

@frankz
Sorry, I don't know what haproxy is - not using it.
Doesn't seem to be discussed in this sub forum as here it's "ACME" only.

@frankz

This : http://xxxxxxx.ddns.net/, or actually this "xxxxxxx.ddns.net" should resolve to an A record (or AAAA).
"DNS" (mine, your, and the one ACME (Letsencrypt) uses should resolve "xxxxxxx.ddns.net" to an IP address, an IP address whicg has port "80" open, so a (mini) web server replies, and will answer when arequest comes in asking for this file :
.well-known/acme-challenge/xxxxxxxxxxxxxxxxxx
If Letsencryot gets this file, it will load it - and check if the content matches with what it has given to ACME.

The thing is : Letsencrypt was 'asking' on "xxxxxxx.ddns.net", the IP address, but found the door closed.

Normally, the "xxxxxxx.ddns.net" points to your WAN IP, so you need to have a firewall rule on your WAN that permits TCP traffic on port 80 to come so it can reach the ACME web server instance, that receives the request, and answers it.
Keep in mind that ACME will fire up a mini web server, but will do handle any firewall stuff for you.

If you have a ISP router in front of your pfSense : you will have to "NAT" that router also.

You also have to deal with the fact that pfSense uses itself the port 80 for the GUI access, so you will have to move that, as the GUI listens on all interfaces, WAN included ( ! ).

By now, you will probably think : "hey, this (stand alone) ACME web server method isn't that good at all". And that's correct. It's a method that you really don't want to use, as you need to manually prepare the renewal every time. You don't want to leave your port 80 TCP open to the net all the time.

@AudioDave said in Failure updating ACME certificate:

However, my original question is simply how to resolve the fact that the automatic renewal is failing

I did point out your problem several days ago and what you needed to do.

The question is:

how to let the ACME-package run the http-challenge on the Virtual IPs?

But I worked around this already (customer wanted traefik for the additional services).

Did you ever get this sorted? I have a similar issue.